Re: [websec] Coordinating Frame-Options and CSP UI Safety directives

[=JeffH <Jeff.Hodges@KingsMountain.com>]

thanks for your thoughts Dave,

 > My concern is mostly around the degree to which a move to CSP might
 > complicate or stall the process.

by this I presume you mean the process of producing a spec for a standardized 
"frame-options" (i.e., the successor to "x-frame-options").

I don't think leveraging CSP as a framework, per se, would necessarily slow this 
down.

 >  I'd also prefer not to see additional use
 > cases pop up (eg: click fraud prevention) that just were never in scope
 > before.

I think it's reasonable to discuss whether the "frame-options" policy directive 
(aka "frame-ancestors", "embed-ancestors") should be specified as a part of the 
nascent "UI Safety directives" spec (in W3C WebAppSec), or the CSP 1.1 spec (in 
W3C WebAppSec), or as a stand-alone spec.


 > I think that w.r.t. header bloat,

Ah, so there's two aspects to "header bloat" in this discussion..

1. "header bloat" in relation to possibly defining yet another HTTP header field 
to convey a security policy, i.e. a stand-alone "frame-options" header field.

2. "header value bloat" in terms of having a header field into which server 
operators may feel obliged to cram a huge list of items (i.e., origins).

 From a high-level perspective, casting "frame-options" as a CSP directive 
works towards addressing (1).


 > the most sensible approach is to only allow one origin to be specified.

And this statement is addressing (2).


 > CSP by-design facilitates the use of multiple origins.

However, the ABNF of any particular CSP directive can be crafted in order to 
allow only one origin to be specified as a value, e.g. like so..

   directive-name  = "frame-options"
   directive-value = host-source

[ where host-source is defined as..

   host-source       = [ scheme "://" ] host [ port ]
]

 > As we've discussed w/Frame-Options, there is a design pattern to
 > make the more basic single-origin approach functional.

understood.

(fwiw, I'd term what you're calling a "design pattern" as a "implementation and 
deployment technique")


 > With regard to obsolescence of X-FRAME-OPTIONS, it's easy to specify exactly
 > what happens in the FRAME-OPTIONS spec.  I don't see that CSP inherently
 > improves on that but I may be missing something there.

regardless of which specification vehicle we use for the "frame-options" policy 
directive, we'll be able to denote (in some fashion) that it supersedes the old 
"x-frame-options" header. (this is going to be somewhat messy in any case)


 > The advantage I see of bringing FRAME-OPTIONS into CSP is that it makes CSP
 > more comprehensive.  But I suspect there are plenty of other header-related
 > security features that aren't defined by CSP (eg: the origin header, cookie
 > security).

well, of course CSP doesn't encompass "everything" and isn't intended to. But we 
certainly should be carefully considering consolidating  policy directive 
conveyance as appropriate, and the "frame-options" (aka "frame-ancestors", 
"embed-ancestors") notion seems to fall reasonably within the "content security 
policy" space -- a key aspect being that it is regarding a particular resource 
representation (as I presently understand it).


 > Finally, as Brad pointed out in the rosetta stone thread, Frame-Options
 > provides the flexibility to perform only a top level origin check as opposed
 > to a full ancestor check.  (Specified via the "AllAncestors" flag.)

Well, the "AllAncestors" flag can certainly be added to a CSP-based 
"frame-options" policy directive. e.g. by defining a new "keyword-source" of 
'all-ancestors'.

=JeffH